Re: open cloud security virus - please HELP!

Or you can find the file OpenCloud Security.exe and rename it to, say, bad.exe and restart the PC. Now the registry can't find the file due to the renaming, so the FakeAV doesn't load, allowing for easier cleanup.

Re: open cloud security virus - please HELP!

From your Start Menu, select "Search." Choose "All Files and Folders," then type (or Copy/Paste) "OpenCloud" in the box for "All or part of the file name:"

When you find it, you can right click it and rename it as Quads suggests. Then reboot your PC and apply the cleaner of your choice, by the sound of it. Malwarebytes has a free tool that plays well with Norton; Norton Power Eraser is also available here, but should only be used if something like Malwarebytes doesn't do the trick (which, if I'm reading Quads' post correctly, seems unlikely--especially once you've renamed the .exe)...because Power Eraser scans very aggressively, and is more likely to mark files for removal that you'd actually want to keep.

Now rename the file OpenCloud Security.exe to something like bad.exe by right clicking the file and selecting Rename. Here is a screenshot below showing the file in the folder. The resolution etc. shown in the screenshot is because I am in Safe Mode.

After renaming the file to, say, bad.exe you can now restart the PC back into Normal Mode and the FakeAV doesn't load. Programs like Malwarebytes and Superantispyware can now be installed, have their definitions updated, and run a Full scan to clean the infection up.

Re: open cloud security virus - please HELP!

I had the Open Cloud AV as well. I'm not saying this will work for everyone, but I started up my computer in Safe Mode (F8 during boot up) and simply did a "system restore" to a point in time previous to acquiring that virus. It worked.

Re: open cloud security virus - please HELP!

System restore can damage a lot of other apps. It is best to follow Quads's instructions to the letter. You damaged the fake AV so that it is no longer active, but a system restore might not clear all the files.

Re: open cloud security virus - please HELP!

Tried everything written and still not working. Windows XP. Cannot find the Open Cloud files (normal or safe mode). Cannot perform the system restore in safe mode, and when I switch back to normal the bogus anti-virus blocks it. Ran a Norton 360 scan in safe mode and nothing happens.

Re: open cloud security virus - please HELP!

I have been able to run Hijackthis and Malwarebytes with the FakeAV (OpenCloud Security /Antivirus) running at the time.

Here is a screenshot showing the FakeAV and Hijackthis running,

The FakeAV allows files named iexplore.exe to run as it thinks that is Internet Explorer, so in fact fooling it. You do have to make sure that in the Folder Options (see previous instructions) the "Hide file extensions for known file types" option is unticked / unchecked, because if the user has it selected to not see the extension (.exe) and the user renames the file by typing iexplore.exe, in actual fact you will end up with iexplore.exe.exe, which will be blocked.

I used the executable version of Hijackthis, which does not have to be installed but is run from the Desktop, after at some point renaming hijackthis.exe to iexplore.exe. Hijackthis will now run.

You are to go to the Main Menu, then open the Misc Tools section, and from there select Open Process Manager. This will list running processes, which then allows you to select and kill the FakeAV process, which is also shown in the screenshot.

You are then able to install, update and run a Full scan no problems.

I also tried the technique to run Malwarebytes and Superantispyware Free.

Malwarebytes, you just have to rename the installer package iexplore.exe, install Malwarebytes then go into the Malwarebytes Program folder (eg. C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe) and rename mbam.exe to iexplore.exe and then just run the renamed file.

Re: open cloud security virus - please HELP!

Yeah, that's exactly what I see popping up! Open Cloud Security program.

I found out it's a virus.

I want to thank everyone for all their help!

I could not get the Malwarebytes program to work. Every time I went to their site it sent me to cnet and for some reason I could only download a program called ARO. I'm not sure why Malwarebytes would do that.

Re: open cloud security virus - please HELP!

There are now two new names for this FakeAV family, AV Guard Online and Security Guard 2012, but both removal ways by me above still work, except the file names are now [random].

Also I will say this here so other forums know, which saves me getting PMs: it's OK to use my instructions, either of them, for anyone on the web who is trying to remove this family of FakeAV or someone trying to help someone remove their infection.

It is not a Virus, it is a FakeAV (Rogue) and is easier than some nasties I have battled in the past.

Re: open cloud security virus - please HELP!

The path for this family of FakeAVs has changed. In trying AV Guard Online, the .exe is named as random characters but is also now located in the system32 folder. It has a Run Registry entry for loading the .exe, but that means the file won't load in Safe Mode.

I decided to give the iexplore.exe trick a go and here is a screenshot below. (I have overlapped the 3 programs to make the screenshot smaller while still having the writing readable).

Open the Image / Screenshot in a new Tab to see it at full size.

In the Hijackthis process list it's the last 3 entries we are looking at. The first is the FakeAV (AV Guard Online) process running from the system32 folder.

The second is Malwarebytes renamed to iexplore.exe and running.

The third is Hijackthis renamed to iexplore.exe and running from the Desktop.
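
The post above notes that this family loads through a Run registry entry pointing at a randomly named .exe. As an added example (not part of the original post), this PowerShell sketch lists the standard Run-key entries and marks for review any target that is missing or lacks a valid Authenticode signature; the helper name `Get-RunTargetPath` is hypothetical.

```powershell
# Added example, not from the thread: review Run-key autostart entries.
# Assumes PowerShell 3.0+ and the standard per-machine and per-user Run keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-RunTargetPath {
    param([string]$Command)
    # Quoted form: "C:\path with spaces\file.exe" /args
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: everything up to and including the first ".exe"
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($Command.Trim() -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = [Environment]::ExpandEnvironmentVariables((Get-RunTargetPath $command))

        if (Test-Path -LiteralPath $target -PathType Leaf) {
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
            $status = (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
        } else {
            # Renamed or deleted target, or a bare file name without a full path
            $status = 'FileNotFound'
        }

        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Target    = $target
            Signature = $status
            # Anything other than Valid is a prompt to look closer, not a verdict:
            # legitimate software can be unsigned or signed only via a catalog.
            Review    = ($status -ne 'Valid')
        }
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

An entry reported as `FileNotFound` is also what a Run value looks like after its target has been renamed as described earlier in the thread, so it marks a leftover registry value to clean up.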

Re: open cloud security virus - please HELP!

My computer has also been infected with the Guard Online virus. Quads, I have tried installing Malwarebytes with the iexplore.exe renaming and it isn't working. Also I cannot locate the .exe files in any folder (in safe mode) and therefore cannot follow your first suggestion. Please help, this virus or whatever you call it is very annoying. I have Windows XP. Every time I run a scan it goes for about ten seconds and then shuts off. Thank you in advance.

Re: open cloud security virus - please HELP!

"Every time i run a scan it goes for about ten seconds and then shuts off" That sounds like zeroaccess in the background, as it doesn't matter what you name the security program file, even iexplore.exe, zeroaccess is not as dumb as the FakeAV and still knows it's a security program and thus kills it.

Re: open cloud security virus - please HELP!

Quads is the Ace here, when it comes to the really dangerous stuff like rootkits. In his absence--given your time constraints--you might try the recommended forums, where a real malware expert can work with you one-on-one in real time to dig these things out. Some of our best folks here have checked them out to make sure that they are capable, and competent to deal with rootkits and other nasties. Most of them handle tricky Windows problems as well.

Just go to the forums; don't click on any of the ads! Note that some of these forums (like bleepingcomputer) require that once they begin working with you, you not consult any other sources on your infection until it's resolved--and will close your case if you do. This is important, to avoid confusion (and really bad outcomes) resulting from trying to follow several people's advice at once! LOL

I hope that it's not too close to your departure for this to do some good. Best of luck, and please let us know how it turns out!

Re: open cloud security virus - please HELP!

I don't know if I even have time for that. If I turn off my computer for the next two weeks and tackle the problem when I come back, is that any more dangerous? Does the virus do anything while the computer is shut down?

Re: open cloud security virus - please HELP!

I did this in Normal Mode (not Safe Mode) with zeroaccess also installed in the background.

In Normal Mode you will find the FakeAV will always pop up with warnings, trying to get you to buy it. This gets annoying during the breaking process, but keep closing the window or clicking "No Thanks", "Continue unprotected", etc.

With taskmgr.exe, right click the file and select Copy from the menu. Then, say, on the desktop right click and select Paste. Now you have a taskmgr.exe on the desktop. Now right click the Desktop copy and rename the file iexplore.exe.

What does this do?

1. The file taskmgr.exe is not a security program so that if the PC has zeroaccess as well it does not get blocked by the tripwire, zeroaccess allows it through.

2. Renaming taskmgr.exe to iexplore.exe for the desktop copy also means the FakeAV family in question also allows it through so doesn't block it either.

Remember I did this in Normal Mode, but here is a screenshot after clicking and running the desktop copy.

The 3 entries of note for me in the screenshot above are:

iexplore.exe, This is the running Task Manager renamed.

jccc52iib...... This is the FakeAV running as a Random file name

169439....:4103..... This is my copy of Zeroaccess showing in the list, there is nothing that can be done about this one at this point.

Re: open cloud security virus - please HELP!

I have used Norton 360, but it was incompatible with my college's wifi, and started using the UAHuntsville-provided McAfee. Then last week I got hit with the OpenCloud virus. I muddled through trying to use the McAfee software, then after a while I got frustrated and hit it with a system restore. Today I got the popups again, did a search or two, then hit it with System Restore again. I also just re-installed Norton, because the IT dept at school claims 360 should work now, and I never had any trouble with it, and I use it on my other computers. My questions... Does System Restore remove all traces of the virus? Was the recurrence due to reinfection? Do I need to go through msconfig to check?

Re: open cloud security virus - please HELP!

I have seen a lot of malware and viruses but Open Cloud AV and its brother AV Guard are the worst. They give us a taste of what an intelligently planned cyber attack could do. I have been trying to eliminate Open Cloud AV on a laptop for someone else; none of the regular methods worked. I am not sure if it was coincidence, but the more I worked on it the more barriers were put up. After two runs of Malwarebytes a loopback proxy server blocked internet access; on the third round the Malwarebytes scan was trounced by a page fault and the trackpad driver trashed. I am now going to apply your steps, will report back. Thanks

PS - I hope Norton and the other AV makers understand that this kind of malware is more destructive and time consuming than any simple virus.

Re: open cloud security virus - please HELP!

The taskmgr appears to be replaced with a fake version that shows task, status, and a blank column, with no tasks running, no menu, etc. I am going to copy a valid Win 7 taskmgr file from another computer by burning a CD, to prevent transfer to the clean machine.

Re: open cloud security virus - please HELP!

The FakeAVs, by themselves, are "scareware" -- basically digital protection rackets designed to get you to pay them to stop telling you you have all these infections you never really had in the first place. They're annoying, but as Quads says relatively straightforward to remove. I am not a malware expert, but I'm confident I could get rid of these with the instructions he's already posted on other threads here if I needed to.

Zeroaccess is a rootkit. Rootkits often come "bundled" with other malware, and function to protect it, hiding it from your Operating System, interfering with any security software you might have installed, and often preventing you from visiting the big security software websites or downloading their products. Zeroaccess is particularly dangerous because it contains a tripwire, which brings everything to a grinding halt if your security software does find it.

If you have the rootkit, System Restores, Norton, McAfee, Malwarebytes, and the like are NOT going to rid you of it.

You're going to need expert help. Here, that would be Quads. There are other forums that can help you with this also, where a real malware expert can work with you one-on-one in real time to dig these things out. Some of our best folks here have checked them out to make sure that they are capable, and competent to deal with rootkits and other nasties. Most of them handle tricky Windows problems as well.

Just sign up for one of their free accounts, where required, and go to the forums; don't click on any of the ads! Note that some of these forums (like bleepingcomputer) require that once they begin working with you, you not consult any other sources on your infection until it's resolved--and will close your case if you do. This is important, to avoid confusion (and really bad outcomes) resulting from trying to follow several people's advice at once! LOL

Re: open cloud security virus - please HELP!

I have been following this and similar threads for a while. They clearly show the problems that can be caused by the FakeAV family and zeroaccess. I am also pleased to say the forum seems to show how to get around them, but with time and care.

My question is - how do I avoid getting them in the first place? Should Norton 360 (up to date) keep me safe or do I need to do anything else?

Re: open cloud security virus - please HELP!

A lot of scareware, like less dangerous (but often equally annoying) PUPs, gets installed by the user, by clicking on a Web ad for what is presented as free or inexpensive security trialware. So our FIRST line of defense is practicing safe browsing/computing habits. For most, having Norton 360 as our SECOND line of defense will be adequate.

You absolutely SHOULDN'T install a second REAL-TIME security product, as these programs tend to conflict and perceive each other's scans as intrusion attempts. And in over twenty years, I haven't found anything better in this role than Norton. For those desiring a THIRD layer of defense, however, a good NON-real-time product like the FREE VERSION of Malwarebytes is an effective, compatible product. Norton Power Eraser is also solid in this role, but scans very aggressively and is somewhat prone to flagging files you may actually WANT as targets for deletion.

Finally, it's important to recognize that no solution is 100%, if only because of zero-day threats that no one has encountered before. For THESE, the final layer in your effective defense is forums like this, where true experts like Quads can work with you to get down into your Operating System and pull the little nasties out by their roots. Several other forums like this also exist, which you may have seen me link elsewhere.

A layered defense is the best defense, because it has no single point of failure.

Re: open cloud security virus - please HELP!

I find the best protection is Firefox with the NoScript add-on. NoScript prevents any scripts from running. I checked a bad webpage for a user with Firefox and again with Internet Explorer. There was a malicious toolkit on the page but was only apparent using IE. Scripts are difficult for antivirus to block because of the need for Java and similar apps.

Re: open cloud security virus - please HELP!

If it found it, yes. And there may be earlier versions without the tripwire; I don't recall for sure. I am not a malware expert, so if you think you may have a live infection that Norton 360, Malwarebytes, and Norton Power Eraser are not finding or successfully extracting, it is best to refer you to the recommended forums, where a real malware expert can work with you one-on-one in real time to dig these things out. Some of our best folks here have checked them out to make sure that they are capable, and competent to deal with rootkits and other nasties. Most of them handle tricky Windows problems as well.

Just sign up for one of their free accounts--where required--and go to the forums; don't click on any of the ads! Note that some of these forums (like bleepingcomputer) require that once they begin working with you, you not consult any other sources on your infection until it's resolved--and will close your case if you do. This is important, to avoid confusion (and really bad outcomes) resulting from trying to follow several people's advice at once! LOL